On Thu, May 19, 2005 at 07:45:22PM +0200, Chadley Wilson wrote:
> Greetings,
>
> Sort of still a newbie with iptables! I ve been at it for a while, but
> struggle to understand when things don't work when I think they are right.
>
> OK heres the problem:
>
> I have a dns server configure, master zone int network, slave is external dns
> box.
>
> Dhcp server only internal.
>
> Iptables must do the following:
> allow one int ip (me) to the external int face for everything. (the external
> interface is actually our other internal network which has the gateway to the
> internet)
>
> when I set my default policy to drop, my DNS and windows file sharing from the
> ext network doesn't work. My mail and internet still work. I have removed the
> broken lines and set my policy back to ACCEPT. But I would feel much safer if
> it were drop and only allow services that I choose. As it is now, I can
> access the net, mail and windows file shares, the dns for the FTP server is
> working and all is bliss.
> How do I make this more secure?
>
> etel is our gateway
> my router has 6 cards in it. 5 are bond0 1 eth0 int and ext respectively.
>
> Attached is my iptables file,
>
> Please could some one show me what is wrong I can't figure it out.
> ######## Firewall Setup ##################
> ######## Config ##################
> #set -x
> ipt="/usr/sbin/iptables"
> ext="eth0"
> int="bond0"
> lo="127.0.0.1"
> chad="192.168.2.5"
> etel="196.25.100.28"
> #################################################
>
> #################################################
> #### ####
> #### BASIC SETUP ####
> #### ####
> #################################################
>
> #Enable IP Forwarding
> echo "1" >> /proc/sys/net/ipv4/ip_forward
>
> #Clear All Tables
> ${ipt} -t filter -F
> ${ipt} -t nat -F
there's also a mangle table...
iptables -t mangle -F
> ## Allow all from local interfaces [localhost]
> ${ipt} -t filter -A INPUT -s ${lo} -j ACCEPT
>
>
> ## Allow all prerouting
> ${ipt} -t nat -A PREROUTING -s 192.168.2.0/255.255.255.0 -j ACCEPT
> ${ipt} -t nat -A PREROUTING -s 196.25.100.5/255.255.255.0 -j ACCEPT
um--what exactly are you trying to accomplish with these?
> ## Allow all forwarding
> ${ipt} -t filter -A FORWARD -i ${int} -o ${ext} -m state --state RELATED,ESTABLISHED -j ACCEPT
> ${ipt} -t filter -A FORWARD -i ${ext} -o ${int} -m state --state RELATED,ESTABLISHED -j ACCEPT
how about just:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> ## Allow pings
> ${ipt} -t filter -A INPUT -p icmp -j ACCEPT
>
> ## Keep established connections on all interfaces
> ${ipt} -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
we just did this above...
> ${ipt} -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> ## Accept www from internet {ext}
> ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 80 -j ACCEPT
you run a web server on your firewall?
> #################################################
> #### ####
> #### RULES ####
> #### ####
> #################################################
>
> ## Masquerade {chad} outgoing to internet
> ${ipt} -t nat -A POSTROUTING -o ${ext} -s ${chad} -j MASQUERADE
> ${ipt} -t filter -A FORWARD -i ${int} -o ${ext} -s ${chad} -j ACCEPT
>
> ## Accept SSH from {etel}
> ${ipt} -t filter -A INPUT -i ${ext} -s ${etel} -p tcp --dport 22 -j ACCEPT
>
> ## Accept ssh from all internal
> ${ipt} -t filter -A INPUT -i ${int} -p tcp --dport 22 -j ACCEPT
>
> ## Accept telnet
> ${ipt} -t filter -A INPUT -p tcp --dport 23 -j ACCEPT
> ${ipt} -t filter -A INPUT -p udp --dport 23 -j ACCEPT
1) telnet only uses TCP, not UDP.
2) telnet? c'mon, what is this? 1997?
> ## Accept incoming SMTP
> ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 25 -j ACCEPT
>
> ## Accept external POP3
> ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 110 -j ACCEPT
you run SMTP and POP3 servers on your firewall too? i'm sensing a
pattern here...
> ## Allow mail from ext to int
> ${ipt} -t filter -A FORWARD -p tcp -m tcp -m state -s ${chad} -d 196.25.100.21 -o ${ext} --sport 25 --state NEW,ESTABLISHED,RELATED -j ACCEPT
> ${ipt} -t filter -A FORWARD -p tcp -m tcp -m state -s ${chad} -d 196.25.100.21 -o ${ext} --sport 110 --state NEW,ESTABLISHED,RELATED -j ACCEPT
um--we've already ACCEPTed all ESTABLISHED,RELATED packets in
FORWARD--so it's redundant to keep using them in rules. so we need to
create rules that allow packets that are NEW. if you're trying to allow
$chad to connect to 196.25.100.21 on SMTP and POP3--those should be
dport, not sport:
iptables -A FORWARD -i $int -o $ext -p tcp -s $chad \
-d 196.25.100.21 --dport 25 -j ACCEPT
iptables -A FORWARD -i $int -o $ext -p tcp -s $chad \
-d 196.25.100.21 --dport 110 -j ACCEPT
from the text of you message, you want to allow $chad out on any
service, though--right? then how about:
iptables -A FORWARD -i $int -o $ext -p tcp -s $chad -j ACCEPT
(which you already have in here if we scroll back up a bit)
> ## Allow DNS updates
> ${ipt} -t filter -A INPUT -i ${int} -p tcp --dport 53 -j ACCEPT
> ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 53 -j ACCEPT
the DNS server runs on the firewall too, eh? how's about:
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
(you need TCP for zone transfers, and UDP for regular name resolution
requests)
> ## Accept all from local interfaces
> ${ipt} -t filter -A INPUT -i ${int} -j ACCEPT
> ${ipt} -t filter -A INPUT -i ${int} -j ACCEPT
a rule so nice, we need it twice?
> ## Drop all the rest, incoming , and forward between interfaces
> #${ipt} -t filter -A INPUT -j DROP
> #${ipt} -t filter -A FORWARD -j DROP
-j
--
"Peter: Hey, Brian. If cops are pigs, does that make you a Snausage?
Brian: Clever, Peter. Did you stay up all night writing that?
Peter: No, I got to bed around two, two-thirty."
--Family Guy
